Bug 912982 (CVE-2013-1665)

Summary: CVE-2013-1665 Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2015-08-03 06:21:44 UTC
Story Points: ---
Regression: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---

Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: c.david86, mjc, ohudlick, paul, veillard
Keywords: Reopened, Security
Doc Type: Bug Fix
Type: ---
Mount Type: ---
Category: ---

Bug Depends On: 910221, 910222, 910232, 913054, 917199, 917200
Bug Blocks: 916494, 916496, 916499, 916886, 1067315

Description Kurt Seifried 2013-02-20 05:47:04 UTC
Christian Heimes <christian> reports:

Entity declarations can contain more than just text for replacement. They can also point to external resources by public identifiers or system identifiers. System identifiers are standard URIs. When the URI is a URL (e.g. an http:// locator) some parsers download the resource from the remote location and embed it into the XML document verbatim.

Using external entity expansion opens the door to plenty of exploits. An attacker can abuse a vulnerable XML library and application to rebound and forward network requests with the IP address of the server. It highly depends on the parser and the application what kind of exploit is possible. For example:

* An attacker can circumvent firewalls and gain access to restricted resources as all the requests are made from an internal and trustworthy IP address, not from the outside.
* An attacker can abuse a service to attack, spy on or DoS your servers but also third-party services. The attack is disguised with the IP address of the server and the attacker is able to utilize the high bandwidth of a big machine.
* An attacker can exhaust additional resources on the machine, e.g. with requests to a service that doesn't respond or responds with very large files.
* An attacker may gain knowledge of when, how often and from which IP address an XML document is accessed.
* An attacker could send mail from inside your network if the URL handler supports smtp:// URIs.

External reference:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

Comment 8 errata-xmlrpc 2013-03-05 21:01:59 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html

Comment 9 errata-xmlrpc 2013-03-21 18:12:26 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html

Comment 10 errata-xmlrpc 2013-03-21 18:13:37 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html

Comment 11 errata-xmlrpc 2013-03-21 18:16:35 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html

Comment 12 Huzaifa S. Sidhpurwala 2015-08-03 06:21:17 UTC
Python’s interfaces for processing XML are grouped in the xml module, which is a part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be directly parsed via python's xml modules.

This is clearly documented at:
https://docs.python.org/2/library/xml.html
https://docs.python.org/2/library/xml.html#xml-vulnerabilities

Python upstream suggests the use of "defusedxml" packages, but they break backward compatibility.

Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
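The mechanism described in the report above (a SYSTEM identifier that the parser fetches and embeds verbatim) and the stdlib-only hardening that Comment 12 leaves to defusedxml, as an added example that is not part of this bug report, of Python, or of the defusedxml project. It uses only the standard library's xml.sax reader, which the defusedxml announcement lists among the modules that resolve external entities. Assumptions: the leaked file is a temporary file the example constructs itself, standing in for the /etc/passwd path or http:// URL an attacker would really put in the SYSTEM id; the `TextCollector`, `ForbidExternalEntities`, `build_attacker_document`, `parse_names` and `demo` names are helpers written for this example; and on Python before 3.7.1 xml.sax fetched external general entities by default, so the explicit `setFeature(feature_external_ges, True)` in the vulnerable configuration only reproduces that old default on a current interpreter.

```python
"""Added example (not from the bug report, Python, or defusedxml): external
entity expansion through the standard library's xml.sax reader, and the two
standard-library controls that stop it.

Constructed input: a temporary file created by demo() stands in for the
/etc/passwd or http:// target an attacker would really name in the SYSTEM id.
"""
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

SECRET = "db_password=hunter2"  # constructed file content that must not leak


class TextCollector(ContentHandler):
    """Collects the character data inside each <name> element."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._buf = []
        self.names = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._inside, self._buf = True, []

    def characters(self, content):
        # Text fetched from an external entity arrives here exactly like text
        # written in the document: the application cannot tell them apart.
        if self._inside:
            self._buf.append(content)

    def endElement(self, tag):
        if tag == "name":
            self.names.append("".join(self._buf))
            self._inside = False


class ForbidExternalEntities(EntityResolver):
    """Second line of defence: fail loudly instead of fetching anything.
    The reader only consults the resolver when feature_external_ges is on."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError("external entity blocked: %r" % (systemId,))


def build_attacker_document(system_id):
    """Constructed attacker input: an internal DTD subset declaring an external
    general entity, referenced from element content."""
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE user [\n"
        '  <!ENTITY xxe SYSTEM "%s">\n'
        "]>\n"
        "<user><name>&xxe;</name></user>\n" % system_id
    )
    return doc.encode("ascii")


def parse_names(data, fetch_external_entities=False, entity_resolver=None):
    """Parse `data` with xml.sax and return the text of every <name> element."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # The switch that matters: when it is off, expat still reports the
    # reference but the reader never resolves the SYSTEM id, so the entity
    # expands to nothing. (feature_external_pes is the parameter-entity twin.)
    parser.setFeature(feature_external_ges, fetch_external_entities)
    if entity_resolver is not None:
        parser.setEntityResolver(entity_resolver)
    parser.parse(BytesIO(data))
    return collector.names


def demo():
    """Run one attacker document through three parser configurations."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    try:
        doc = build_attacker_document(path)
        # 1. Vulnerable: the file's contents are embedded inside <name>.
        leaked = parse_names(doc, fetch_external_entities=True)
        # 2. Hardened: the reference is dropped and <name> comes back empty.
        skipped = parse_names(doc, fetch_external_entities=False)
        # 3. Feature left on but the resolver refuses: the parse fails instead
        #    of fetching, which is the behaviour you want in a server.
        try:
            parse_names(doc, fetch_external_entities=True,
                        entity_resolver=ForbidExternalEntities())
            refused = None
        except ValueError as exc:
            refused = str(exc)
    finally:
        os.unlink(path)
    return {"leaked": leaked, "skipped": skipped, "refused": refused}


if __name__ == "__main__":
    for mode, result in demo().items():
        print("%-8s %r" % (mode, result))
```

Two caveats a practitioner should keep in mind. First, turning the feature off makes the entity expand silently to nothing, so a document that relied on it loses data without any error; the refusing resolver is the noisier option when the feature has to stay on. Second, this addresses only the external-entity part of the report: the entity-expansion denial-of-service cases the linked defusedxml announcement also describes (nested entity bombs, quadratic blowup) are internal entities and are not affected by either control shown here.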